What TrickBot tells us about the future of malware 
Malware attackers are increasingly sophisticated. Here’s what to know 


Malware threats have plagued organizations for decades, but that’s no reason to be complacent with a security strategy that has to date protected your organization. Now more than ever, malware is quickly evolving — operating at increasingly complex levels of infectiousness and evasiveness, and swiftly spreading into the Internet of Things and the cloud. But beyond the acceleration of novel and unique malware activity, the threat groups behind them have grown more resilient and pervasive. 


We’ve entered a concerning new chapter in the metamorphosis of malware. Today, cybercriminal groups often have highly skilled developers; decentralized, corporate-like operations; and partnerships with other threat actors that allow them to evolve and quickly rebound from setbacks. The apparent end goal for these collectives is to create more victims and share the spoils, rather than compete against each other to infect the same victims. 

One such example is the TrickBot gang, which IBM Security X-Force has observed for years. According to this year’s IBM Security X-Force Threat Intelligence Index, TrickBot was one of 2021’s most active threat groups. Tracked as ITG23, also known as Wizard Spider, the notorious malware gang is best thought of as a group of groups, all of which report to “upper management” — not unlike a large corporation. The collective shares infrastructure and support functions, and has IT teams, recruiters and even human resources. These attributes make ITG23 more agile and resilient to disruptions and shutdowns. 


Charting the evolution of TrickBot malware 

TrickBot malware emerged in 2016 as a trojan initially used to facilitate online banking fraud. Alongside Qakbot, Zeus, Dridex and Gozi, TrickBot was essentially another banking trojan. But ITG23 soon expanded its operations.  


The TrickBot trojan evolved to include modules capable of stealing credentials and browser data, gaining remote access and moving laterally. In addition to the TrickBot trojan, the group now operates multiple malware families, including BazarBackdoor, Anchor, Conti ransomware and ransomware as a service (RaaS).


With expanded capabilities, ITG23 has become a destructive and even lethal cybercriminal group. ITG23 targets stressed organizations, preys on victims’ fears, and takes advantage of current events with an aggressive expansion of malware distribution channels and infection methods. The following four examples demonstrate the group’s breadth:  


  • During the early days of the pandemic in 2020, the gang attacked the online systems of more than 400 U.S. hospitals. “There’s gonna be a panic,” wrote one ITG23 hacker in the organization’s chatroom. The group flooded network users with targeted phishing campaigns containing links to malware-hosting websites. One hospital in Santa Rosa, California, had to make appointments manually after the gang forced the organization offline. 

  • Attackers also hit private medical practices with the Conti ransomware, bankrupting some businesses by erasing their entire patient records when they couldn’t pay a ransom. In other cases, the TrickBot group withheld decryption keys from victims even after they paid a ransom. 

  • In 2020, ITG23 targeted financial institutions by creating fake DocuSign emails that exposed their entire financial systems to ransomware when clicked by unwitting employees. 

  • ITG23 has a link to a fake call center operated by a group called BazarCall, tracked as Hive0105. In one of its recent BazarCall campaigns, ransomware distributors sent fake emails announcing the recipient had received tickets for a Justin Bieber concert. 


According to the 2022 X-Force Threat Intelligence Index, ransomware groups on average survive 17 months before rebranding or shutting down. The TrickBot gang has lasted much longer, though it has suffered setbacks over the past year. In June 2021, the U.S. Department of Justice arrested and arraigned Alla Witte, an alleged ransomware creator for the TrickBot group. In October, South Korea extradited another alleged TrickBot developer, Vladimir Dunaev, to the United States to face federal charges.  
In December 2021, the gang sunset the TrickBot malware, then did the same with its BazarLoader malware in February 2022. That same month, the gang suffered another blow when a Ukrainian security researcher released internal chat logs, now known as ContiLeaks. The logs publicized some 30 vulnerabilities targeted by Conti ransomware, which ITG23 operates as a service. But the logs also revealed a sophisticated organization that invested millions in its own infrastructure — even offering paid vacation days to employees. 


Massive resources make it easy for malware groups to recover, shape-shift, and re-emerge. The TrickBot gang is no exception. ITG23 continues to operate its Anchor backdoor, Diavol ransomware and, despite ContiLeaks, Conti ransomware, which recently added the Costa Rican government to its list of victims. Why does this matter? Because well-resourced groups like ITG23 are more capable of deploying sophisticated, multistage attacks, with each stage possessing varying levels of infectiousness and evasiveness. 
Consider how TrickBot’s partnership with the Emotet group worked. Previous phishing campaigns used weaponized documents to install Emotet malware. Emotet then downloaded TrickBot malware, which invoked its own downloader capabilities to drop a Ryuk payload on the infected machine. In 2021, ITG23’s Ryuk was the second-most observed ransomware strain, responsible for 13% of all ransomware incidents. 


X-Force believes ITG23 has connections to IcedID malware and is likely behind the recent Bumblebee downloader. In the end, while a competitor of ITG23 would reasonably include any major cybercriminal group or RaaS operation, attackers view each other as co-conspirators, not competitors. 

Protecting your organization against malware 
C-suite leaders should understand the sophistication, frequency, impact and consequences of malware threats. How does it infiltrate? How do we minimize risk? And how do we quickly detect malware?  


Consider the following four solutions for a holistic security strategy: 


  • A zero trust approach is a “never trust, always verify” concept. Whether you are a CEO, a sales associate or a business partner, a zero trust strategy examines every login for malware and other security threats. With the implementation of multifactor authentication and the principle of least privilege, a zero trust approach has the potential to decrease organizations’ susceptibility to different types of attacks, including malware. 

  • Phishing operations emerged as the top pathway to compromise in 2021, with 41% of the incidents X-Force remediated using this technique to gain initial access. Recommendations to effectively combat phishing are email software security solutions and regular employee education, as all employees share the responsibility of keeping their organizations secure. 

  • Vulnerability exploitations increased by 33% from 2020 to 2021, according to the X-Force Threat Intelligence Index. Organizations should mature and refine their vulnerability management solutions. 

  • Finally, organizations need defenses to spot malware and lateral movement. These defenses include behavioral-based antimalware detection, endpoint detection and response (EDR), intrusion detection and prevention solutions (IDPS) and a security information and event management (SIEM) system. 
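The multistage chain described above (weaponized document, then a downloader, then a further payload) is the kind of behaviour the endpoint and SIEM defenses in the last bullet are meant to surface. The following is an added example, not code from the original post or from IBM X-Force: a toy EDR-style rule that rebuilds a process tree from constructed process-creation events and flags an Office application spawning a script host followed by two or more further executables. All pids, image names and events are constructed sample data, and the OFFICE_APPS and SCRIPT_HOSTS sets are assumptions chosen for the illustration.

```python
# Added example, not from the original post: a toy EDR/SIEM-style rule that
# rebuilds a process tree from constructed process-creation events and flags the
# staged "document -> script -> downloader -> payload" pattern the post describes.
# All pids, image names and events below are constructed sample data.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed sample events: (pid, parent pid, image name).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},     # user opens a document
    {"pid": 300, "ppid": 200, "image": "powershell.exe"},  # macro launches a script
    {"pid": 400, "ppid": 300, "image": "stage1.exe"},      # script drops a downloader
    {"pid": 500, "ppid": 400, "image": "stage2.exe"},      # downloader fetches the payload
    {"pid": 600, "ppid": 100, "image": "excel.exe"},       # benign spreadsheet session
    {"pid": 700, "ppid": 600, "image": "printdriver.exe"}, # benign: no scripting hop
]


def ancestry(pid, by_pid):
    """Return image names from the tree root down to pid, e.g. [explorer.exe, ...]."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_staged_chains(events, min_stages=2):
    """Return (pid, chain) for every process whose ancestry contains an Office
    app spawning a script host followed by at least min_stages further executables.
    The post's Emotet -> TrickBot -> Ryuk sequence is three such stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        for i in range(len(chain) - 1):
            if chain[i] in OFFICE_APPS and chain[i + 1] in SCRIPT_HOSTS:
                if len(chain) - (i + 2) >= min_stages:
                    hits.append((e["pid"], chain[i:]))
                break
    return hits


if __name__ == "__main__":
    for pid, chain in find_staged_chains(EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

Lowering min_stages trades fewer missed chains for more alerts on ordinary macro-launched scripts, which is the tuning decision a real EDR or SIEM rule has to make.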

Thanks to these security solutions, malware has to work harder to go undetected, but threat actors will continue to evolve, innovate and partner together. Having control over today’s threat landscape means understanding the evolution of malware in any environment. 

The post What TrickBot tells us about the future of malware appeared first on Security Intelligence.